30x Faster Modern Segmentation for Enterprises

By enabling up to 30 times faster deployment than firewalls, and simplified management, segmentation reduces CAPEX and OPEX compared to traditional techniques.

Dave Klein

May 14, 2019

5 Min Read

“No more soft chewy centers.”  With this quote, John Kindervag of Forrester introduced the world to the Forrester Zero Trust model. More importantly, he exposed the reality that modern data centers, whether they be on premises, in clouds, or a combination of both, are open, vulnerable, and easy targets of attack and exploit. 

By far the biggest problem enterprise administrators face is that data centers lack tools to easily implement and manage segmentation techniques. Due to the dynamic nature and heterogeneous platforms now utilized, legacy firewalls, VLANs, ACLs, and security groups are no longer effective means to segment the data center environment. The fluid nature of these environments has created enterprise networks with coarse, flat segments, because traditional network security cannot keep up.

Furthermore, the lack of segmentation best practices in these environments is made even worse by several trends. IoT and VDI initiatives have added devices and users into data centers that have not been segmented or isolated, creating additional risk. And data centers, often opened up to business partners, distributors, customers, contractors, and vendors, are at risk from these third parties, who can be considered the weakest links and introduce their own security risks into the supply chain. One can look at several recent examples of “cross-contamination,” where attackers breached an enterprise by first targeting a weaker, easier-to-exploit third party, compromising a VDI user, or taking advantage of an IoT device. Beyond the risk of attack, segmentation is also often required for industry regulatory compliance such as SWIFT, PCI, HIPAA, and others. Facing potential regulatory penalties, enterprises need to be able to demonstrate that they are taking appropriate measures to be compliant by isolating particular workloads, assets, and applications.

For all these reasons, operators of these enterprise environments are taking a closer look at modern, software-defined segmentation techniques. Advances in modern segmentation have made it a viable option for all types of companies. Addressing key portions of the people, workloads, and network elements of the model, modern segmentation is arguably the optimal choice for achieving zero-trust security. Of equal importance, with the right tools and a little thoughtful planning, modern segmentation can be implemented more quickly and easily than the aforementioned methods and is easier to manage and maintain as well. In fact, recent testing has demonstrated that modern segmentation can reduce time to deployment as much as 30 times compared to traditional firewall implementation.  Those time savings and efficiencies translate to significantly lower costs over the deployment lifecycle.

The limits to legacy methods of segmentation

To understand the advantages of modern segmentation, it is useful for comparative purposes to look at some of the drawbacks and limitations of standard techniques employed both on-premises and in the cloud. These might include some combination of physical or virtualized firewalls, VLANs, ACLs, and virtual private cloud (VPC) security groups. In general, these methods are resource and labor intensive. Creating security policies is a cumbersome process. Moves, adds, changes, and deletes need to be performed manually, creating a drag on ongoing operational efficiency and raising the risk of vulnerability.

Firewalls, even when virtualized, are expensive to acquire and complex to set up. They also create circuitous “hairpins” that ultimately impede system performance. As the industry is learning, firewalls are not intended for segmentation within the data center, and, in fact, some providers will readily admit that firewalls simply don’t belong there.

Perhaps the greatest drawback, however, is that conventional security controls (firewalls, VLANs, ACLs, VPC, security groups) do not reduce the attack surface sufficiently. Cloud-based security groups, hypervisor firewalls and other traditional techniques focus only on the machine and port level rather than providing protection at the application process level. This means any processes, including malicious ones, can easily get by port-based rules, thereby exposing applications to threats that have successfully breached the perimeter.


Modern segmentation steps in

Modern segmentation overcomes the inherent inefficiencies of traditional techniques and, perhaps more importantly, results in stronger security for enterprise environments. Furthermore, it takes the concept of network segmentation down to a very granular, process-to-process level. It entails the creation of security policies around individual or logically grouped applications, regardless of where they reside in the hybrid data center. These policies dictate which applications can and cannot communicate with each other – true zero trust at the application level. Segmentation also makes it possible to apply policies in a dynamic fashion, so that as new workloads are spun up or down, or even moved, they are attributed to the correct policy automatically. This saves considerable resources by eliminating the need for manual moves, adds, changes, and deletes.

The key to implementing modern segmentation is to begin the process with a graphic visualization of all assets in the environment, whether bare metal, virtual machines or containers, and the dependencies between them. This deep visibility dramatically accelerates the process of identifying, grouping and creating security policies around the tiers of the applications.
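The following is an added example, not code from the article or from Guardicore, that makes the two claims above concrete: a label-based policy engine in which rules are written against application tiers (so a freshly spun-up workload carrying the right labels is covered with no rule edits), and a side-by-side comparison of a port-only rule set, as a security group or ACL would express it, with one that also pins the client and server processes. The workload names, labels, process names, and ports are constructed for illustration and are not from the article.

```python
"""Toy label-based segmentation policy engine (added illustration, not the
article's or any vendor's code). Workloads carry labels; rules match on label
sets, destination port and, optionally, the process on each end. Evaluation is
default-deny: a flow passes only if some rule explicitly allows it."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Workload:
    name: str
    labels: FrozenSet[str]  # e.g. {"app:shop", "tier:web"}, constructed labels


@dataclass(frozen=True)
class Flow:
    src: Workload
    src_process: str
    dst: Workload
    dst_port: int
    dst_process: str


@dataclass(frozen=True)
class Rule:
    """Allow src workloads matching src_labels to reach dst workloads matching
    dst_labels on dst_port. A port-only rule leaves both process fields None,
    which is all a security group or VLAN ACL can express."""
    src_labels: FrozenSet[str]
    dst_labels: FrozenSet[str]
    dst_port: int
    src_process: Optional[str] = None
    dst_process: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        if not self.src_labels <= flow.src.labels:   # every required label present
            return False
        if not self.dst_labels <= flow.dst.labels:
            return False
        if flow.dst_port != self.dst_port:
            return False
        if self.src_process is not None and flow.src_process != self.src_process:
            return False
        if self.dst_process is not None and flow.dst_process != self.dst_process:
            return False
        return True


def evaluate(policy: List[Rule], flow: Flow) -> bool:
    """Zero-trust default: deny unless an allow rule matches."""
    return any(rule.matches(flow) for rule in policy)


def labels(*items: str) -> FrozenSet[str]:
    return frozenset(items)


# Constructed three-tier application.
WEB = Workload("web-01", labels("app:shop", "tier:web"))
APP = Workload("app-01", labels("app:shop", "tier:app"))
DB = Workload("db-01", labels("app:shop", "tier:db"))

# Port-only policy: what a security group or ACL can say.
PORT_POLICY = [
    Rule(labels("tier:web"), labels("tier:app"), 8080),
    Rule(labels("tier:app"), labels("tier:db"), 5432),
]

# Process-aware policy: same tiers and ports, plus the expected binaries.
PROCESS_POLICY = [
    Rule(labels("tier:web"), labels("tier:app"), 8080, "nginx", "java"),
    Rule(labels("tier:app"), labels("tier:db"), 5432, "java", "postgres"),
]

# Constructed flows: the legitimate app-to-database path, and an unexpected
# binary on the same host using the same, already-open port.
LEGIT = Flow(APP, "java", DB, 5432, "postgres")
ROGUE = Flow(APP, "unknown-bin", DB, 5432, "postgres")


def port_policy_allows(flow: Flow) -> bool:
    return evaluate(PORT_POLICY, flow)


def process_policy_allows(flow: Flow) -> bool:
    return evaluate(PROCESS_POLICY, flow)


def new_workload_inherits_policy(name: str, wl_labels: FrozenSet[str]) -> bool:
    """Dynamic attribution: a new workload is covered purely by its labels,
    with no moves/adds/changes to the rule set."""
    fresh = Workload(name, wl_labels)
    return evaluate(PROCESS_POLICY, Flow(fresh, "java", DB, 5432, "postgres"))


if __name__ == "__main__":
    for label, flow in (("legit", LEGIT), ("rogue", ROGUE)):
        print(f"{label}: port-only={port_policy_allows(flow)} "
              f"process-aware={process_policy_allows(flow)}")
    print("app-07 inherits policy:",
          new_workload_inherits_policy("app-07", labels("app:shop", "tier:app")))
```

Running it shows the contrast the article draws: the port-only policy allows both flows because it cannot tell the two processes apart, while the process-aware policy allows only the expected `java` to `postgres` path; and a new `tier:app` workload is permitted by the existing rules without anyone editing them, whereas a workload with unrelated labels stays denied.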

By using modern segmentation, enterprise administrators can provide security and enforcement at the application and process level, containing threats and alerting operators to their presence. In this way, modern segmentation is the most effective solution for reducing a company’s attack surface and risk profile. By enabling up to 30 times faster deployment than firewalls, and greater operational efficiency through simplified management, segmentation reduces both capital and ongoing operating expenditure compared to traditional techniques. Above all, a stronger security posture means reduced risks and liabilities without sacrificing the speed of innovation.

About the Author(s)

Dave Klein

Dave Klein is a Senior Director of Engineering and Architecture at Guardicore, a security technology company focused on data center and cloud security. He has written and spoken extensively on security challenges in today’s hybrid-cloud and multi-cloud data center environments.
